Enabling DNSSEC
===============
+TODO - change section to disabling DNSSEC
+-- trust_anchors.keyfile_default = nil
+
The resolver supports DNSSEC including :rfc:`5011` automated DNSSEC TA updates and :rfc:`7646` negative trust anchors.
To enable it, you need to provide trusted root keys. Bootstrapping of the keys is automated, and kresd fetches root trust anchors set `over a secure channel <http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/>`_ from IANA. From there, it can perform :rfc:`5011` automatic updates for you.
+++ /dev/null
--- vim:syntax=lua:
--- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-
--- Load useful modules
-modules = {
- 'hints > iterate', -- Load /etc/hosts and allow custom root hints
- 'stats', -- Track internal statistics
- 'predict', -- Prefetch expiring/frequent records
-}
-
--- See kresd.systemd(7) about configuring network interfaces when using systemd
--- Listen on localhost (default)
--- net = { '127.0.0.1', '::1' }
-
--- Enable DNSSEC validation
-trust_anchors.file = '/etc/knot-resolver/root.keys'
-
--- Cache size
-cache.size = 100 * MB
+++ /dev/null
--- vim:syntax=lua:
--- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
-
--- Load useful modules
-modules = {
- 'hints > iterate', -- Load /etc/hosts and allow custom root hints
- 'stats', -- Track internal statistics
- 'predict', -- Prefetch expiring/frequent records
-}
-
--- See kresd.systemd(7) about configuring network interfaces when using systemd
--- Listen on localhost (default)
--- net = { '127.0.0.1', '::1' }
-
--- To disable DNSSEC validation, uncomment the following line (not recommended)
--- trust_anchors.keyfile_default = nil
-
--- Cache size
-cache.size = 100 * MB
+++ /dev/null
--- Config file example useable for personal resolver.
--- The goal is to have a validating resolver with tiny memory footprint,
--- while actively tracking and refreshing frequent records to lower user latency.
--- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
-
--- Listen on localhost (default)
--- net = { '127.0.0.1', '::1' }
-
--- Drop root privileges
-user('knot-resolver', 'knot-resolver')
-
--- Auto-maintain root TA
-trust_anchors.file = 'root.keys'
-
--- Load Useful modules
-modules = {
- 'hints > iterate', -- Load /etc/hosts and allow custom root hints
- 'stats', -- Track internal statistics
- 'predict', -- Prefetch expiring/frequent records
-}
-
--- Smaller cache size
-cache.size = 10 * MB
+-- vim:syntax=lua:set ts=4 sw=4:
-- Config file example useable for larger resolver farms
-- In this case cache should be made as large as possible, and prefetching turned off
-- as the resolver is busy most of the time.
-- Alternative is using `etcd` as a configuration backend.
--- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
-
--- Listen on localhost and external interface
-net = { '127.0.0.1', '::1', '192.168.1.1' }
-
--- Drop root privileges
-user('knot-resolver', 'knot-resolver')
-
--- Auto-maintain root TA
-trust_anchors.file = 'root.keys'
-
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
+@config_defaults@
+@config_managed_ta@
-- Large cache size, so we don't need to flush ever
-- This can be larger than available RAM, least frequently accessed
-- records will be paged out as long as there's enough disk space to back it
-- Use local root server copy for performance reasons
hints.root({
- ['j.root-servers.net.'] = { '192.168.1.4', '2001:503:c27::2:30', '192.58.128.30' }
+ ['j.root-servers.net.'] = { '192.168.1.4', '2001:503:c27::2:30', '192.58.128.30' }
})
-- Apply RPZ for all clients, default rule is DENY
policy.add(policy.rpz(policy.DENY, 'blacklist.rpz'))
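Review bot: The explicit external listener is lost here: line 80's `net = { '127.0.0.1', '::1', '192.168.1.1' }` is replaced by `@config_defaults@`, and the snippet this commit defines for that placeholder in etc/config/meson.build carries only a commented-out `-- net = { ... }` line (or, in the systemd branch, just a pointer to kresd.systemd(7)), so the "larger resolver farms" example no longer shows the resolver listening beyond whatever the build default is. If that is intended, the header comment should say where the listen addresses now come from, e.g. `-- Listen addresses: see the generated defaults above and kresd.systemd(7)`. The same replacement happens in the isp and splitview examples (lines 119 and 152). The rest of this file (cache.size and anything after policy.add) continues past the hunk.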
-
--- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
-- Listen on all interfaces (localhost would not work in Docker)
net.listen('0.0.0.0')
net.listen('0.0.0.0', 853, {tls=true})
-
--- Auto-maintain root TA
-trust_anchors.file = '/etc/knot-resolver/root.keys'
+@config_managed_ta@
-- Load Useful modules
modules = {
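Review bot: When the managed-TA snippet is disabled at build time the Docker example ends up with no trust-anchor statement at all: line 110's explicit `trust_anchors.file = '/etc/knot-resolver/root.keys'` becomes `@config_managed_ta@`, which the else branch in etc/config/meson.build in this commit sets to an empty string. The removed stock config (lines 43-44) suggests validation then falls back to a build-time `trust_anchors.keyfile_default`, but nothing in the example says so; a one-line comment after the placeholder would make the intent explicit, e.g. `-- DNSSEC: root keys are auto-managed (RFC 5011) when built with managed TA; otherwise the build-time default keyfile applies`. The file continues past this hunk (the modules table is cut off).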
+-- vim:syntax=lua:set ts=4 sw=4:
-- Config file example useable for multi-user ISP resolver
--- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
-
--- Listen on localhost and external interface
-net = { '127.0.0.1', '::1', '192.168.1.1' }
-
--- Drop root privileges
-user('knot-resolver', 'knot-resolver')
-
--- Auto-maintain root TA
-trust_anchors.file = 'root.keys'
-
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
+@config_defaults@
+@config_managed_ta@
-- Large cache size, so we don't need to flush often
-- This can be larger than available RAM, least frequently accessed
-- records will be paged out
--- /dev/null
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Refer to manual: http://knot-resolver.readthedocs.org/en/stable/daemon.html#configuration
+@config_defaults@
+@config_managed_ta@
+-- Load useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+}
+
+-- Cache size
+cache.size = 100 * MB
+-- vim:syntax=lua:set ts=4 sw=4:
-- Config file with split-view for internal zone
--- Refer to manual: https://knot-resolver.readthedocs.io/en/latest/daemon.html#configuration
-
--- Listen on localhost and external interface
-net = { '127.0.0.1', '::1', '192.168.1.1' }
-
--- Drop root privileges
-user('knot-resolver', 'knot-resolver')
-
--- Auto-maintain root TA
-trust_anchors.file = 'root.keys'
-
+-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
+@config_defaults@
+@config_managed_ta@
-- Load Useful modules
modules = {
'hints > iterate', -- Load /etc/hosts and allow custom root hints
--- /dev/null
+# etc: config examples
+
+# Config snippets (build-dependant)
+if true # TODO systemd.nosocket, systemd=no
+ config_defaults = '''
+-- Network interface configuration: see kresd.systemd(7)'''
+else
+ config_defaults = '''
+-- Listen on localhost (default) and external interface
+-- net = { '127.0.0.1', '::1', '192.0.2.1' }
+
+-- Drop root privileges
+user('knot-resolver', 'knot-resolver')''' # TODO user, group
+endif
+
+if true # TODO managed_ta = false
+ config_managed_ta = '''
+-- Auto-manage DNSSEC trust anchors (RFC 5011)
+trust_anchors.file = '@0@/root.keys'
+'''.format(etc_dir)
+else
+ config_managed_ta = ''
+endif
+
+
+example_configs = [
+ 'config.cluster.in',
+ 'config.docker.in',
+ 'config.isp.in',
+ 'config.personal.in',
+ 'config.splitview.in',
+]
+
+# TODO kresd.conf
+
+# TODO configure, install
+#install_data(
+# sources: example_configs,
+# install_dir: join_paths(doc_dir, 'examples'),
+#)
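Review bot: The systemd branch of `config_defaults` (lines 171-172) drops the `user('knot-resolver', 'knot-resolver')` privilege drop that every removed example carried (lines 58, 83, 122, 155) and that the non-systemd branch keeps (line 179); if that is deliberate because the service unit is expected to run kresd as an unprivileged user, the snippet should say so, e.g. `-- No user() call here: privilege drop is expected to be handled by the systemd unit`, otherwise anyone copying the generated example to a manual start would run kresd as root. The `if true` / `if true` conditions (lines 170 and 182) are placeholders, so until they are wired to real options every generated example takes the systemd branch and the managed-TA branch regardless of how the build is configured. Note also that the old `install_data(sources: example_configs, ...)` (lines 220-223) is removed while its replacement here is commented out (lines 202-206), so as of this commit no example configs are installed at all, and the `.in` files cannot be installed verbatim anyway because of the `@...@` placeholders; this is marked TODO, but it is a visible regression until the configure_file step lands.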
# etc
-example_configs = [
- 'config.cluster',
- 'config.docker',
- 'config.isp',
- 'config.personal',
- 'config.splitview',
-]
-
etc_files = [
'icann-ca.pem',
'root.hints',
]
-install_data(
- sources: example_configs,
- install_dir: join_paths(doc_dir, 'examples'),
-)
+subdir('config')
+
install_data(
sources: etc_files,